1
00:00:00,230 --> 00:00:01,900
So very quick lecture, but if you wanted
2
00:00:01,900 --> 00:00:05,700
to migrate an EC2 instance from one AZ to another,
3
00:00:05,700 --> 00:00:07,880
well the way you would do it is using an AMI.
4
00:00:07,880 --> 00:00:10,130
So, in this example, we want to migrate our EC2 instance
5
00:00:10,130 --> 00:00:13,630
from us-east-1a to us-east-1b, in which case, first
6
00:00:13,630 --> 00:00:17,420
we take an AMI from our EC2 instance and then restore
7
00:00:17,420 --> 00:00:21,680
that AMI into a new EC2 instance, in a different AZ
8
00:00:21,680 --> 00:00:24,310
which by default will have the same data
9
00:00:24,310 --> 00:00:26,160
and the same file system and the same applications
10
00:00:26,160 --> 00:00:28,730
because the AMI was taken from the original one.
11
00:00:28,730 --> 00:00:31,960
So, that's it, super simple to see, but good to know.
12
00:00:31,960 --> 00:00:34,370
And if you want to see this, well, the AMI here
13
00:00:34,370 --> 00:00:37,660
my instance is in eu-central-1c, okay?
14
00:00:37,660 --> 00:00:40,010
And an image was taken from it.
15
00:00:40,010 --> 00:00:41,080
And so what I can do is
16
00:00:41,080 --> 00:00:45,500
that I can launch an image from this AMI module to micro
17
00:00:45,500 --> 00:00:48,050
and then here I'm able to select a specific AZ
18
00:00:48,050 --> 00:00:50,690
so, a specific subnet, and it could be for example
19
00:00:50,690 --> 00:00:53,220
this one to have it in eu-central-1b
20
00:00:53,220 --> 00:00:54,790
and then I would be good to go.
21
00:00:54,790 --> 00:00:56,860
So, let's say for this lecture, I hope you liked it
22
00:00:56,860 --> 00:00:59,420
and I will see you in the next lecture.
23
00:00:59,420 --> 00:01:01,910
Okay, so now let's talk about cross account AMI sharing.
24
00:01:01,910 --> 00:01:03,260
That means that you're sharing your AMI
25
00:01:03,260 --> 00:01:04,830
with another AWS account.
26
00:01:04,830 --> 00:01:06,570
In this case, when you share an AMI
27
00:01:06,570 --> 00:01:08,760
it does not affect the ownership of the AMI,
28
00:01:08,760 --> 00:01:10,040
you still have it, okay?
29
00:01:10,040 --> 00:01:12,660
And you can share an AMI in two cases.
30
00:01:12,660 --> 00:01:15,360
Number one, if the volume is unencrypted
31
00:01:15,360 --> 00:01:17,240
and that means you can share it with another account
32
00:01:17,240 --> 00:01:21,040
or even share the AMI publicly, or if it's encrypted
33
00:01:21,040 --> 00:01:24,790
it has to be encrypted with your own customer managed key
34
00:01:24,790 --> 00:01:27,420
and we'll see the process for that as well.
35
00:01:27,420 --> 00:01:29,460
If you are sharing the, what I mean is
36
00:01:29,460 --> 00:01:31,740
that if you're sharing the AMI with an encrypted volume
37
00:01:31,740 --> 00:01:34,490
that means that you need to share any key that is attached
38
00:01:34,490 --> 00:01:35,730
to that volume as well
39
00:01:35,730 --> 00:01:37,600
that was used to encrypt and decrypt that volume
40
00:01:37,600 --> 00:01:40,510
otherwise the targeted account cannot use your volume.
41
00:01:40,510 --> 00:01:42,700
So, let's take an example, a simple one.
42
00:01:42,700 --> 00:01:43,640
We have account A
43
00:01:43,640 --> 00:01:47,260
and this is an unencrypted AMI in your source accounts
44
00:01:47,260 --> 00:01:49,610
and you're just going to share it with account B.
45
00:01:49,610 --> 00:01:52,470
And then the account B can launch directly
46
00:01:52,470 --> 00:01:56,310
an EC2 instance from that source AMI, very simple.
47
00:01:56,310 --> 00:01:58,090
Now, if you add KMS encryption
48
00:01:58,090 --> 00:02:00,860
we have the same use case, but this time your AMI
49
00:02:00,860 --> 00:02:03,940
is actually encrypted with your CMK-A, okay?
50
00:02:03,940 --> 00:02:05,990
And what you're going to do is that you're going to share
51
00:02:05,990 --> 00:02:08,250
this AMI with your account B
52
00:02:08,250 --> 00:02:10,610
but also you're going to share the KMS key.
53
00:02:10,610 --> 00:02:11,780
Okay, your CMK.
54
00:02:11,780 --> 00:02:14,120
And you're going to give permissions to the target accounts
55
00:02:14,120 --> 00:02:17,460
to describe the key, to decrypt, to re-encrypt and so on.
56
00:02:17,460 --> 00:02:19,280
And this will allow the target accounts
57
00:02:19,280 --> 00:02:20,950
to launch your custom AMI,
58
00:02:20,950 --> 00:02:22,450
even though it was encrypted
59
00:02:22,450 --> 00:02:25,250
with a key from your accounts, okay?
60
00:02:25,250 --> 00:02:27,670
Next, you can have the cross account AMI copy.
61
00:02:27,670 --> 00:02:29,450
So, you have sharing and copying.
62
00:02:29,450 --> 00:02:32,260
If you copy an AMI that has been shared with your accounts
63
00:02:32,260 --> 00:02:35,670
you are then the owner of the target AMI in your accounts.
64
00:02:35,670 --> 00:02:37,730
That means that the owner of the source AMI must grant you
65
00:02:37,730 --> 00:02:40,620
the read permissions for the storage that backs the AMI.
66
00:02:40,620 --> 00:02:43,330
So, the EBS snapshots, so it's a bit more involved.
67
00:02:43,330 --> 00:02:45,690
So, account B now has the permission to read
68
00:02:45,690 --> 00:02:48,300
the EBS snapshots behind the AMI.
69
00:02:48,300 --> 00:02:50,950
So, it can run a copy image API call
70
00:02:50,950 --> 00:02:54,450
which will copy the source AMI into its own accounts.
71
00:02:54,450 --> 00:02:56,280
And in the process, for example
72
00:02:56,280 --> 00:02:58,630
you can encrypt the snapshot if you wanted to
73
00:02:58,630 --> 00:02:59,740
with your own keys.
74
00:02:59,740 --> 00:03:01,290
And as we'll see in the next slide
75
00:03:01,290 --> 00:03:03,330
if the shared AMI is an encrypted snapshot
76
00:03:03,330 --> 00:03:05,700
the owner must share the encrypted key
77
00:03:05,700 --> 00:03:07,740
or keys with you as well.
78
00:03:07,740 --> 00:03:10,630
And you can encrypt the AMI with your own CMK while copying.
79
00:03:10,630 --> 00:03:13,130
So, let's have a look if we have KMS encryption
80
00:03:13,130 --> 00:03:14,130
in this example.
81
00:03:14,130 --> 00:03:17,680
So, we are sharing the underlying EBS snapshot
82
00:03:17,680 --> 00:03:20,210
and we still give KMS key permissions
83
00:03:20,210 --> 00:03:22,210
to the target accounts, okay?
84
00:03:22,210 --> 00:03:23,637
And the target accounts can issue
85
00:03:23,637 --> 00:03:27,420
a copy command to, for example, re-encrypt the EBS snapshot
86
00:03:27,420 --> 00:03:31,440
by decrypting it using the CMK-A that was given access to
87
00:03:31,440 --> 00:03:34,740
and re-encrypt it with CMK-B and its own accounts
88
00:03:34,740 --> 00:03:37,410
which will give a custom AMI that will be owned
89
00:03:37,410 --> 00:03:39,030
by the target account B
90
00:03:39,030 --> 00:03:41,500
with its own encryption mechanism, okay?
91
00:03:41,500 --> 00:03:44,740
So, that's it for how AMI copy and sharing works.
92
00:03:44,740 --> 00:03:46,820
So, if you have an AMI, what you can do
93
00:03:46,820 --> 00:03:48,310
as you can see is that
94
00:03:48,310 --> 00:03:52,060
if this AMI was shared with you, you could copy that AMI
95
00:03:52,060 --> 00:03:54,610
and this would let you get your own copy of the AMI,
96
00:03:54,610 --> 00:03:57,240
regardless of the sharing options afterwards.
97
00:03:57,240 --> 00:03:59,580
Or if you take that AMI itself
98
00:03:59,580 --> 00:04:02,070
you can have a look at the permissions in here
99
00:04:02,070 --> 00:04:03,800
and you can edit these permissions.
100
00:04:03,800 --> 00:04:08,200
So, what you would do is action, edit AMI permissions.
101
00:04:08,200 --> 00:04:10,260
And in here you have multiple options.
102
00:04:10,260 --> 00:04:13,437
So, if your AMI was private
103
00:04:13,437 --> 00:04:16,370
it could be encrypted or unencrypted
104
00:04:16,370 --> 00:04:19,680
or if it was unencrypted, you could make it public, okay?
105
00:04:19,680 --> 00:04:23,320
And you have people around the world that can use your AMI
106
00:04:23,320 --> 00:04:25,140
so, be careful with that.
107
00:04:25,140 --> 00:04:28,120
Also, if it was private and you want to share it
108
00:04:28,120 --> 00:04:31,360
with specific accounts, organizations or OUs
109
00:04:31,360 --> 00:04:34,910
then you would allow here to add account IDs
110
00:04:34,910 --> 00:04:36,400
and you enter the account IDs.
111
00:04:36,400 --> 00:04:38,760
If you wanted to share with individual accounts
112
00:04:38,760 --> 00:04:41,470
or if you wanted to share with an entire organization
113
00:04:41,470 --> 00:04:46,470
or OUs then you would add the Org/ARN or the OU ARN, okay?
114
00:04:47,780 --> 00:04:49,990
And finally, when you do a sharing
115
00:04:49,990 --> 00:04:54,050
you can click here to add the create volume permission
116
00:04:54,050 --> 00:04:55,170
to the associated snapshots
117
00:04:55,170 --> 00:04:56,827
when creating account permissions.
118
00:04:56,827 --> 00:04:58,480
And this would allow the other accounts
119
00:04:58,480 --> 00:05:01,610
to use your AMI at will, okay?
120
00:05:01,610 --> 00:05:02,640
So, that's it for this lecture.
121
00:05:02,640 --> 00:05:03,740
I hope you liked it.
122
00:05:03,740 --> 00:05:05,690
And I will see you in the next lecture.